Snort mailing list archives

Re: snort3: problem with http_inspect


From: "Tom Peters (thopeter)" <thopeter () cisco com>
Date: Mon, 27 Feb 2017 16:39:04 +0000

Marcin,

I'm coming into this in the middle and apologies in advance if I have
misunderstood.

You should not configure http_inspect (the new HTTP inspector) and
http_server (the old HTTP inspector) at the same time. One or the other
should be commented out in snort.lua with "--" or deleted entirely.

Tom
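An added example of what that looks like in practice (not part of the thread, and not Snort's shipped snort.lua): a fragment of /etc/snort/snort.lua with the conflicting configuration shown commented out beside the corrected one, plus the wizard and binder entries that hand HTTP traffic to http_inspect so rules using HTTP sticky buffers see normalized data. It assumes the fragment lives inside the stock snort.lua, which already includes snort_defaults.lua (where default_wizard is defined); the inline values are illustrative.

```lua
-- Added example (not from the thread or the Snort distribution).
-- Fragment of /etc/snort/snort.lua; assumes snort_defaults.lua has already
-- been included by the surrounding file, as the stock snort.lua does.

-- WRONG: both HTTP inspectors configured at the same time. The two
-- compete for HTTP traffic and rules that depend on one of them can
-- silently stop firing.
--
--   http_inspect = { }
--   http_server  = { }

-- CORRECT: exactly one HTTP inspector. Keep the new one and comment the
-- old one out with "--" (or delete the line entirely).
http_inspect = { }
-- http_server = { }

-- The wizard identifies the service on a flow (e.g. "http") so that the
-- binder below can select the inspector by service rather than by port.
wizard = default_wizard

-- Bind flows identified as HTTP to http_inspect. Without a binding the
-- inspector is configured but never runs, and http_* sticky buffers in
-- rules have nothing to match against.
binder =
{
    { when = { service = 'http' }, use = { type = 'http_inspect' } },
}
```

After editing, run `snort -c /etc/snort/snort.lua -T` to validate the configuration before putting it back in front of nfqueue; a leftover `http_server = { }` alongside `http_inspect = { }` is the first thing to look for when HTTP rules stop alerting after the switch.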



On 2/25/17, 2:05 PM, "Marcin Dulak" <marcin.dulak () gmail com> wrote:

Hi,

I have a problem with http_inspect,
https://github.com/snortadmin/snort3/commit/a9f9bd38ced24da8196746074ef60a73d3bf0438

I make an HTTP request against the machine running snort/nfqueue:

# curl -s -m 1 http://192.168.17.30/test

and expect my sid:3000001 (see below) to be triggered, but only
sid:4000003
is triggered instead.
My question is what am I missing to trigger sid:3000001 with the new
http_inspect?

Now, when in /etc/snort/snort.lua I use
-- http_inspect = { }
http_server = { }

then all but sid:4000001 are triggered:


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!